Endpoint

7/31/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Accidental Cryptojackers: A Tale of Two Sites

Why website operators need to know with whom they are doing business and how to close the loop on third-party vulnerabilities.

In the digital world, a company's website is a key touchpoint for its customers, but it also serves as an entry point for malicious actors. Thousands of websites operated by some of the world's most recognized companies and government agencies have been compromised by malicious actors anxious to harvest web visitors' CPU power for their mining operations. The root cause of these compromised websites in many cases is third-party code suppliers who usually have inadequate security and give access through a trusted connection to thousands of visitors of popular e-commerce sites.

The soaring number of cryptomining malware incidents reflects the growing interest in cryptomining itself. The most widely used tool is the Coinhive JavaScript for mining Monero digital currency, originally developed for website owners to make more money through mining. Immediately after Coinhive's launch in late 2017, clones like Coinimp, deepMiner, Crypto-Loot, and Minr appeared in rapid succession to grab their share of a fast-growing market.

Today, cryptomining represents a new frontier for hackers to launch their attacks. One common hijacking method involves embedding cryptomining code under ad campaigns that appear on a webpage or run in a browser. Another involves the unauthorized installation of cryptomining code on a website. Regardless, whether victims browse the site or view the ad, the malicious code secretly harnesses the machine's or device's CPU power.

Cryptomining in Action
Recently, The Media Trust's Digital Security & Operations (DSO) team sounded the alarm when they detected a spate of incidents involving:

1. A web analytics provider that we will refer to as "Webcount"

2. A popular car research aggregator, referenced as "Carsearch"

While the team spotted a few incidents of cryptomining malware in the past, more recent incidents are different because they involve more sophisticated campaigns using the digital supply chain as a distribution channel to target brands trusted by consumers and businesses 

In the "Webcount" case, the DSO team identified the cryptomining code while scanning client websites for unauthorized code. Associated with a well-known file extension, the anomalous code was seen on every client website running the Webcount analytics. The same file extension coincided with previous Coinhive incidents identified and thwarted by the DSO team. The cryptojacking malware developers made no effort to obfuscate the malicious code. On the contrary, they avoided antivirus detection by using legitimate code throughout the entire file. Once the code made a call to a malicious domain never before seen in any major domain or IP verification analysis, the DSO team alerted the client and terminated the malware's source.

Figure 1 shows how the Webcount cryptojacker works. A web user visits a restaurant website that runs the compromised Webcount analytics. Line two starts the homepage's creative elements being combined to render the page. Line 38 makes the JavaScript URL call to the Webcount site, which is followed by a call to the malicious domain. Several calls are made from this domain to malicious JavaScript files that take over the user's browser and initiate the cryptomining process. Instances involving the Webcount cryptojacker are distinct by their higher-than-average number of domain calls. The cryptojacker runs for as long as the user is on the restaurant's site. It is worth noting that while Webcount analytics are widely used, Webcount's web servers previously have fallen victim to hackers. This poor track record highlights the importance of closely monitoring the activities — authorized and otherwise — of third parties used in the highly dynamic digital environment.

Figure 1
Image Source: The Media Trust
Image Source: The Media Trust

The "Carsearch" incident involves the same Coinhive code but uses a slightly different attack method. (See Figure 2 below). When users browse through the Carsearch website, they are led to "CarloansRUs" to learn more about their financing options. As users visit the CarloansRUs pages and meet key conditions, such as location, browser, time of day, screen size, etc. (line 204), CarloansRUs serves a malicious JavaScript file. Line 205 shows repeated attempts to verify conditions. The code calls to a known malicious domain, "jqcdn.download," which then launches an attack on the users' browsers (line 136). Line 172 shows the point where the attack begins.

Figure 2
Image Source: The Media Trust
Image Source: The Media Trust

Webcount and CarloansRUs are ideal attack vectors because they give access to a large number of site visitors who will linger on the sites and give hackers enough time to mine for cryptocurrencies.

How to Avoid Cryptojacking
Websites depend on the support of third-party code providers. A typical commercial website has an average of 100 third parties supporting its various features, such as analytics, content management systems, customer recognition platforms, social widgets, and more. Third parties account for anywhere between 50% to 95% of website code execution. In effect, more than half of all code on a website lies outside a company's direct control. To further complicate matters, the inventory of third parties can change each day.

The Webcount and CarloansRUs cases demonstrate why website operators need to know with whom they are doing business and how to close the loop on third-party vulnerabilities related to analytics, data management, customer identification, chat, image library, and widgets. Companies must create and implement an in-depth digital vendor risk management strategy to identify and decrease the potential security risk associated with third-party vendors. Today's digital environment requires vendor management strategies that are able to adapt to the ever-changing nature of digital assets and provide compliance with a myriad of new digital privacy regulations.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info

Patrick Ciavolella is digital security & operations director at The Media Trust. He has been working at the company for over 11 years, protecting clients' digital ecosystems from the ever-evolving threat landscape. His team is at the forefront of exposing hard-to-detect ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.